Automated risk assessment based on machine generated investigation
First Claim
1. A method for monitoring network traffic using on one or more network computers over one or more networks, wherein the execution of instructions by the one or more network computers perform the method comprising:
instantiating a monitoring engine to perform actions, including;
providing anomaly information that is associated with one or more anomalies that are associated with monitored network traffic; and
instantiating an inference engine that performs actions, including;
determining one or more users that are associated with the one or more anomalies associated with one or more portions of the monitored network traffic;
determining a communication channel that is associated with the one or more users based on the one or more anomalies and the one or more portions of the monitored network traffic, wherein the communication channel is separate from the monitored network traffic;
employing the communication channel to provide one or more investigative agents to the one or more users;
annotating the anomaly information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic that is associated with the one or more anomalies;
determining the one or more investigative agents based on the annotated anomaly information;
employing the annotated anomaly information to further determine the communication channel;
collecting investigative information from the one or more investigative agents over the communication channel; and
providing a risk value that is associated with the one or more anomalies based on the investigative information.
6 Assignments
0 Petitions
Abstract
Embodiments are directed to monitoring network traffic using a network computer. The network computer provides anomaly information associated with anomalies that may be associated with monitored network traffic. An inference engine may determine the users associated with the anomalies based on the monitored network traffic. A communication channel associated with the users may be determined based on the anomalies and the monitored network traffic such that the communication channel may be separate from the monitored network traffic. The communication channel may be employed to provide investigative agents to the users. Investigative information may be collected from the investigative agents over the communication channel. The inference engine may provide a risk value that is associated with the anomalies based on the investigative information.
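The abstract and claim 1 describe a pipeline rather than an algorithm: a monitoring engine flags anomalies in traffic, the anomaly record is annotated with attributes derived from traffic metrics, an inference engine maps the anomaly to users, picks a contact channel that is deliberately separate from the traffic under suspicion, sends an investigative agent (in practice, a set of questions) over that channel, and folds the answers into a risk value. The following is an added, constructed simulation of that pipeline for illustration; it is not the patent's or any product's code. The flows, baselines, user directory, channel list, question names, weights and simulated answers are all assumptions chosen to show how each claimed step feeds the next, in particular why the channel choice excludes email when the anomalous traffic is itself SMTP.

```python
"""Constructed simulation of the claimed anomaly -> users -> out-of-band inquiry -> risk pipeline.
Added illustration only; every constant and data row below is an assumption, not real traffic."""
from dataclasses import dataclass, field
from typing import Optional

WORK_HOURS = range(8, 19)                              # 08:00-18:59 counts as working hours (assumption)
CHANNEL_OF_PROTO = {"smtp": "email", "xmpp": "chat"}   # contact channel carried by a monitored protocol
ATTRIBUTE_WEIGHT = {"high_volume": 0.2, "off_hours": 0.1, "external_destination": 0.1}

# Constructed sample of monitored flows (bytes_out in bytes, hour in local 24h time).
FLOWS = [
    {"id": "f1", "src_ip": "10.0.0.12", "dst": "files.example.net", "proto": "https",
     "bytes_out": 52_000_000, "hour": 2, "external": True},
    {"id": "f2", "src_ip": "10.0.0.12", "dst": "intranet.corp.example", "proto": "https",
     "bytes_out": 300_000, "hour": 10, "external": False},
    {"id": "f3", "src_ip": "10.0.0.40", "dst": "mail.example.org", "proto": "smtp",
     "bytes_out": 9_000_000, "hour": 14, "external": True},
]
BASELINE = {"10.0.0.12": 400_000, "10.0.0.40": 1_000_000}   # typical outbound bytes per flow (constructed)
USER_DIRECTORY = {                                           # IP-to-user association and reachable channels
    "10.0.0.12": {"user": "alice", "channels": ["email", "chat"]},
    "10.0.0.40": {"user": "bob", "channels": ["email", "sms"]},
}
# Simulated answers returned over the channel; a missing key models "no response".
RESPONSES = {
    ("alice", "large_transfer_intended"): True,
    ("alice", "working_at_that_time"): True,
    ("alice", "destination_recognised"): True,
    ("bob", "large_transfer_intended"): False,
}


@dataclass
class Anomaly:
    flow: dict
    attributes: dict = field(default_factory=dict)
    users: list = field(default_factory=list)
    channel: Optional[str] = None
    agent: list = field(default_factory=list)     # question ids the investigative agent will ask
    answers: dict = field(default_factory=dict)
    risk: float = 0.0


def monitoring_engine(flows, baseline):
    """Flag flows whose outbound volume is >= 5x the source baseline or that occur off-hours."""
    out = []
    for f in flows:
        ratio = f["bytes_out"] / baseline.get(f["src_ip"], 1)
        if ratio >= 5 or f["hour"] not in WORK_HOURS:
            out.append(Anomaly(flow=f))
    return out


def annotate(anomaly, baseline):
    """Attach attributes derived from traffic metrics (the 'annotating' step of claim 1)."""
    f = anomaly.flow
    ratio = f["bytes_out"] / baseline.get(f["src_ip"], 1)
    anomaly.attributes = {"volume_ratio": round(ratio, 1), "high_volume": ratio >= 5,
                          "off_hours": f["hour"] not in WORK_HOURS,
                          "external_destination": f["external"]}
    return anomaly


def determine_users(anomaly, directory):
    """Map the anomaly's source address to the user(s) associated with it."""
    entry = directory.get(anomaly.flow["src_ip"])
    anomaly.users = [entry] if entry else []
    return anomaly


def determine_channel(anomaly):
    """Choose a channel separate from the monitored traffic; prefer mobile-reachable ones off-hours."""
    suspect = CHANNEL_OF_PROTO.get(anomaly.flow["proto"])   # never ask over the traffic under suspicion
    candidates = [c for u in anomaly.users for c in u["channels"] if c != suspect]
    if anomaly.attributes.get("off_hours"):
        candidates.sort(key=lambda c: 0 if c in ("sms", "chat") else 1)
    anomaly.channel = candidates[0] if candidates else None
    return anomaly


def select_agent(anomaly):
    """Pick the questions from the annotated attributes."""
    a = anomaly.attributes
    anomaly.agent = [q for flag, q in (("high_volume", "large_transfer_intended"),
                                       ("off_hours", "working_at_that_time"),
                                       ("external_destination", "destination_recognised")) if a[flag]]
    return anomaly


def collect(anomaly, responses):
    """Gather answers over the channel; None records a question that went unanswered."""
    anomaly.answers = {(u["user"], q): responses.get((u["user"], q))
                       for u in anomaly.users for q in anomaly.agent}
    return anomaly


def risk_value(anomaly):
    """Attribute weights plus answer adjustments: confirmed benign -0.1, denied +0.3, silence +0.15."""
    score = sum(w for name, w in ATTRIBUTE_WEIGHT.items() if anomaly.attributes[name])
    for answer in anomaly.answers.values():
        score += -0.1 if answer is True else 0.3 if answer is False else 0.15
    anomaly.risk = round(min(1.0, max(0.0, score)), 2)
    return anomaly.risk


def run(flows=FLOWS, baseline=BASELINE, directory=USER_DIRECTORY, responses=RESPONSES):
    """Run every claimed step in order and return one summary row per anomaly."""
    rows = []
    for a in monitoring_engine(flows, baseline):
        annotate(a, baseline); determine_users(a, directory); determine_channel(a)
        select_agent(a); collect(a, responses); risk_value(a)
        rows.append({"flow": a.flow["id"], "users": [u["user"] for u in a.users],
                     "channel": a.channel, "questions": a.agent, "risk": a.risk})
    return rows


if __name__ == "__main__":
    for row in run():
        print(row)
```

With the constructed data, flow f1 (huge off-hours upload by alice) is raised over chat rather than email because it is off-hours, and alice's confirmations pull the risk down to 0.1; flow f3 (bob's oversized SMTP transfer) is raised over SMS because email is the very traffic being questioned, and bob's denial plus one unanswered question pushes the risk to 0.75. The weights are arbitrary; the point is that the channel selection and the agent's questions are both derived from the annotated attributes, exactly as the claim orders the steps.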
44 Citations
24 Claims
1. A method for monitoring network traffic using on one or more network computers over one or more networks, wherein the execution of instructions by the one or more network computers perform the method comprising:
instantiating a monitoring engine to perform actions, including;
providing anomaly information that is associated with one or more anomalies that are associated with monitored network traffic; and
instantiating an inference engine that performs actions, including;
determining one or more users that are associated with the one or more anomalies associated with one or more portions of the monitored network traffic;
determining a communication channel that is associated with the one or more users based on the one or more anomalies and the one or more portions of the monitored network traffic, wherein the communication channel is separate from the monitored network traffic;
employing the communication channel to provide one or more investigative agents to the one or more users;
annotating the anomaly information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic that is associated with the one or more anomalies;
determining the one or more investigative agents based on the annotated anomaly information;
employing the annotated anomaly information to further determine the communication channel;
collecting investigative information from the one or more investigative agents over the communication channel; and
providing a risk value that is associated with the one or more anomalies based on the investigative information.
(Dependent claims 2, 3, 4, 5 and 6 not shown.)

7. A system for monitoring network traffic in one or more networks:
one or more network computers, comprising;
a transceiver that communicates over the one or more networks;
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including;
instantiating a monitoring engine to perform actions, including;
providing anomaly information that is associated with one or more anomalies that are associated with monitored network traffic; and
instantiating an inference engine that performs actions, including;
determining one or more users that are associated with the one or more anomalies associated with one or more portions of the monitored network traffic;
determining a communication channel that is associated with the one or more users based on the one or more anomalies and the one or more portions of the monitored network traffic, wherein the communication channel is separate from the monitored network traffic;
employing the communication channel to provide one or more investigative agents to the one or more users;
annotating the anomaly information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic that is associated with the one or more anomalies;
determining the one or more investigative agents based on the annotated anomaly information;
employing the annotated anomaly information to further determine the communication channel;
collecting investigative information from the one or more investigative agents over the communication channel; and
providing a risk value that is associated with the one or more anomalies based on the investigative information; and
one or more client computers, comprising;
a transceiver that communicates over the network;
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including;
providing one or more of the one or more portions of the monitored network traffic.
(Dependent claims 8, 9, 10, 11 and 12 not shown.)

13. A network computer for monitoring network traffic over one or more networks between two or more computers, comprising:
a transceiver that communicates over the network;
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including;
instantiating a monitoring engine to perform actions, including;
providing anomaly information that is associated with one or more anomalies that are associated with monitored network traffic; and
instantiating an inference engine that performs actions, including;
determining one or more users that are associated with the one or more anomalies associated with one or more portions of the monitored network traffic;
determining a communication channel that is associated with the one or more users based on the one or more anomalies and the one or more portions of the monitored network traffic, wherein the communication channel is separate from the monitored network traffic;
employing the communication channel to provide one or more investigative agents to the one or more users;
annotating the anomaly information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic that is associated with the one or more anomalies;
determining the one or more investigative agents based on the annotated anomaly information;
employing the annotated anomaly information to further determine the communication channel;
collecting investigative information from the one or more investigative agents over the communication channel; and
providing a risk value that is associated with the one or more anomalies based on the investigative information.
(Dependent claims 14, 15, 16, 17 and 18 not shown.)

19. A processor readable non-transitory storage media that includes instructions for monitoring network traffic over one or more networks using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform the method comprising:
instantiating a monitoring engine to perform actions, including;
providing anomaly information that is associated with one or more anomalies that are associated with monitored network traffic; and
instantiating an inference engine that performs actions, including;
determining one or more users that are associated with the one or more anomalies associated with one or more portions of the monitored network traffic;
determining a communication channel that is associated with the one or more users based on the one or more anomalies and the one or more portions of the monitored network traffic, wherein the communication channel is separate from the monitored network traffic;
employing the communication channel to provide one or more investigative agents to the one or more users;
annotating the anomaly information to include one or more attributes based on one or more metrics that are associated with the one or more portions of the monitored network traffic that is associated with the one or more anomalies;
determining the one or more investigative agents based on the annotated anomaly information;
employing the annotated anomaly information to further determine the communication channel;
collecting investigative information from the one or more investigative agents over the communication channel; and
providing a risk value that is associated with the one or more anomalies based on the investigative information.
(Dependent claims 20, 21, 22, 23 and 24 not shown.)
Specification